
The Simple Cipher

Cryptanalysis

1. a) Define cryptography.

The use of mathematical operations to protect messages traveling between parties or stored on a
computer.

b) What is confidentiality?

Confidentiality means that people who intercept messages cannot read them.

c) Distinguish between plaintext and ciphertext.

The plaintext is the original message to be delivered. When the plaintext is encrypted, it becomes
ciphertext and cannot be read by an interceptor. However, the receiver can decrypt the ciphertext back
to plaintext.

d) Which is transmitted across the network—the plaintext or the ciphertext?

Ciphertext

e) What is a cipher?

A cipher is a mathematical process used in encryption and decryption.

f) What is a key?

A random string of 40 to 4,000 bits (ones and zeros)


g) What must be kept secret in encryption for confidentiality?

As long as the key is kept secret, both parties will still have confidentiality.

h) What is a cryptanalyst?

Someone who cracks encryption

2. Complete the enciphering in Figure 3-2.

[Figure 3-2 answer table; values in the order extracted: 15, l, 16, 23, 16, 9, n, 12, 20, 25, d]

Substitution and Transposition Ciphers

Substitution Ciphers

Transposition Ciphers

Real Encryption

3. a) Which leaves letters unchanged—transposition or substitution ciphers?

Transposition leaves letters unchanged.

b) Which leaves letters in their original positions—transposition or substitution ciphers?

Substitution ciphers

4. Complete the enciphering in Figure 3-3.

11 h   12 n   13 i
21 t   22 w   23 t
31 e   32 o   33 s

Key Part 1

Key Part 2

n
o

Cipher text = hnitwteos

Ciphers and Codes

5. a) In codes, what do code symbols represent?

In codes, code symbols represent complete words or phrases.


b) What is the advantage of codes?

The advantage of codes is that people can do encoding and decoding manually, without a computer.

c) What are the disadvantages?

The disadvantage of codes is that code books must be distributed ahead of time, and if one code book is
intercepted, all confidentiality is lost.

Symmetric Key Encryption

7. a) Why is the word symmetric used in symmetric key encryption?

Because the two parties use only a single key for encryption and decryption in both directions.

b) When two parties communicate with each other using symmetric key encryption, how many keys are
used in total?

Only 1 key is used in symmetric key encryption.

c) What type of encryption cipher is almost always used in encryption for confidentiality?

Nearly all encryption for confidentiality uses symmetric key encryption ciphers.

8. a) What is the best way to thwart exhaustive searches by cryptanalysts?

Simply make the key so long that the time needed for attackers to crack the key is far too long for
practicality.

b) If a key is 43 bits long, how much longer will it take to crack it by exhaustive search if it is extended to
45 bits?

Because each bit doubles the time it takes to crack a key, extending the key length by 2 bits would
increase the time to crack by 2^2 = 4.

If a key is 43 bits long, it’ll take 4.4E+12 tries, and if it is 45 bits long, the crack will take 1.76E+13 tries.

c) If it is extended to 50 bits?

Extending the key to 50 bits = 2^7 increase = 128 times longer to crack.

d) If a key is 40 bits long, how many keys must be tried, on average, to crack it?

40 bits can generate 2^40 = 1,099,511,627,776 combinations.

Normally, a cryptanalyst must try half of all possible combinations to succeed.

Half of 1,099,511,627,776 is 549,755,813,888.

So on average, a brute-force password cracker will need about 550 billion tries.

e) How long must a symmetric encryption key be to be considered strong today?

Symmetric encryption keys must be 100 bits or longer to be considered a strong key.

Human Issues in Cryptography

9. Why is cryptography not an automatic protection?

Cryptography is not an automatic protection because it is not infallible. The humans that utilize
cryptography can do things that either completely compromise the key or provide sufficient data to
allow more efficient cracking of the key. Companies must have and enforce processes that do not
compromise the strengths of cryptography.

It is not an automatic protection because if a sender or receiver fails to keep the key secret, an
eavesdropper may learn the key and read every message. Poor communication discipline in general can
defeat the strongest cipher and longest key. Also, communicating partners can have a false sense of
security because they will think that the cracked encryption method is still protecting them. The reality
of cryptography is that it is not an automatic protection. It only works if companies have and enforce
organizational processes that do not compromise the technical strengths of cryptography.

Symmetric Key Encryption Ciphers

RC4

10. a) What are the two advantages of RC4?

First, RC4 is extremely fast and uses only a small amount of RAM.[1] This means that it is ideal for small
handheld devices and was viable for even the earliest 802.11 wireless access points. Second, RC4 can
use a broad range of key lengths. For most ciphers, longer key length is better. However, RC4 was widely
used primarily because its shortest optional key length is 40 bits.

b) Why is an RC4 key length of 40 bits commonly used?

An RC4 key length of 40 bits is commonly used because national export limits in many countries once
limited commercial products up to 40-bit encryption.

c) Is this a strong key?

No. It is less than 100 bits long, so it is not strong. It was selected because it was weak.

The Data Encryption Standard (DES)

11. a) How long is a DES key?

DES keys are 56 bits long (64 bits with 8 redundant bits to allow parties to detect incorrect keys).

b) Is this a strong length?

A DES key is only 56 bits; therefore, it is not strong. (It needs to be 100 or more.)

c) Describe block encryption with DES.

The DES key is 56 bits long. It comes in a block of 64 bits, of which 56 bits represent the key. The other 8
bits are redundant in the sense that you can compute them if you know the other 56 bits. This
redundancy allows parties to detect incorrect keys. DES encrypts messages 64 bits at a time. The inputs
for the encryption are the key and the 64-bit block of plaintext. The output is a 64-bit block of
ciphertext.
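
The key redundancy described in 11 c), as an added example that is not part of the original answer key. It assumes the FIPS 46 layout, in which the low-order bit of each of the 8 key bytes is set so that the byte has odd parity; the function names and the sample key are constructed for illustration.

```python
SAMPLE_KEY56 = 0x0123456789ABCD  # constructed 56-bit sample value, not a real key


def expand_des_key(key56: int) -> bytes:
    """Spread a 56-bit key over 8 bytes: 7 key bits plus 1 odd-parity bit each."""
    if not 0 <= key56 < 1 << 56:
        raise ValueError("key must fit in 56 bits")
    out = bytearray()
    for i in range(8):
        # Take 7 key bits, most significant group first.
        seven = (key56 >> (49 - 7 * i)) & 0x7F
        # Odd parity: the extra bit makes the number of 1 bits in the byte odd.
        parity = 1 - (bin(seven).count("1") % 2)
        out.append((seven << 1) | parity)
    return bytes(out)


def has_valid_parity(key64: bytes) -> bool:
    """True if all 8 bytes of a 64-bit DES key block have odd parity."""
    return len(key64) == 8 and all(bin(b).count("1") % 2 == 1 for b in key64)


def extract_key56(key64: bytes) -> int:
    """Reject a corrupted block, then drop the parity bits to recover the key."""
    if not has_valid_parity(key64):
        raise ValueError("parity check failed: key block is corrupted")
    key56 = 0
    for b in key64:
        key56 = (key56 << 7) | (b >> 1)
    return key56


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit flipped (simulates a storage or entry error)."""
    corrupted = bytearray(data)
    corrupted[bit_index // 8] ^= 0x80 >> (bit_index % 8)
    return bytes(corrupted)


if __name__ == "__main__":
    block = expand_des_key(SAMPLE_KEY56)
    print(block.hex(), has_valid_parity(block))
    # Any single flipped bit breaks the parity of its byte and is detected.
    print(has_valid_parity(flip_bit(block, 10)))
    # Two flipped bits in the same byte cancel out and go unnoticed.
    print(has_valid_parity(flip_bit(flip_bit(block, 0), 1)))
```

The parity bits add no secrecy: the effective key is still 56 bits, and the check only catches an odd number of bit errors within a byte.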

Triple DES (3DES)

12. a) How does 3DES work?


It applies DES 3 times, with two or three different keys.

b) What are the two common effective key lengths in 3DES?

112 bits and 168 bits are the two common effective key lengths in 3DES.

c) Are these lengths strong enough for communication in corporations?

3DES is strong enough for communication in corporations.

d) What is the disadvantage of 3DES?

DES is slow, and having to apply DES three times is extremely slow and therefore extremely expensive in
terms of processing cost. 3DES is prohibitively slow for use on personal computers.

Advanced Encryption Standard (AES)

13. a) What is the big advantage of AES over 3DES?

It offers 3 alternative key lengths instead of two. AES is efficient enough in terms of processing power
and RAM requirements to be used on a wide variety of devices.

b) What are the three key lengths offered by AES?

128 bits, 192 bits and 256 bits.

c) Which strong symmetric key encryption cipher can be used with small mobile devices?

AES can be used with small mobile devices.

d) Which symmetric key encryption cipher probably will dominate symmetric key encryption in the near
future?

AES

Other Symmetric Key Encryption Ciphers

14. a) It is claimed that new and proprietary encryption ciphers are good because cryptanalysts will
not know them. Comment on this.

The fact that a cryptanalyst does not know a proprietary encryption cipher does not mean that it is a
good, strong cipher. In reality, it is very difficult to create a vulnerability-free cipher that is not cracked
quickly by an expert cryptanalyst.

b) What is security through obscurity, and why is it bad?

Security through obscurity relies on attackers not obtaining information that can be learned. It is bad
because it could result in a catastrophic loss of security if that information becomes known.
